Who should be responsible for financial fraud?

Improvements in payment protections are shifting the liability for fraud to the least-secure party

By Deb Radcliff

CSO|

$45 million was stolen from ATMs around the world in a matter of hours. In what a U.S. Attorney called a "21st-century bank heist," a New York-based organized crime ring in February hacked into financial databases, stole prepaid debit card data, removed their withdrawal limits, cloned new cards, and then sent "mules" (people commissioned to conduct the transactions) to make 4,500 ATM withdrawals worldwide.

With four perpetrators caught and indictments issued in New York, victims on all sides of this crime are now left to sort out who assumes the losses. Does the liability rest with the financial institutions that were initially hacked and whose data was used to manipulate the withdrawal limits and load balances onto the cards? Or are the financial institutions that processed the transactions responsible?

"The law likes to impose liability on the party that is best able to avoid harm. But liability is all over the place in the area of financial payments fraud," says Mark Rasch, principal attorney at Rasch Technology and Cyberlaw. "Recovering money from those who are liable is also difficult and expensive: You have to file the lawsuits and go through discovery, which can take years."

As standards for pattern recognition and authentication change, so do the legal challenges that come with them. Liability rules are changing especially quickly in relation to card readers, corporate accounts and card-not-present transactions.

The trouble with magnetic stripes

Of these three areas of financial systems fraud, the most dramatic changes are occurring in card and card-reader protections for U.S. merchants making transactions through ATMs and other card-reader systems.

"Although statistics are hard to come by, card fraud has been increasing steadily over the past few years in the U.S.," says Randy Vanderhoof, executive director of the Smart Card Alliance. "Meanwhile, card fraud has been decreasing in Europe and elsewhere where they are using chip-enabled EMV smart cards rather than mag stripes." The EMV (EuroPay, MasterCard and Visa) open framework promotes interoperable, chip-enabled payment cards.

In the U.K., where EMV cards are the dominant form of payment, counterfeit card fraud dropped by two-thirds (from 150 million pounds to less than 50 million pounds) between 2008 and 2010, according to a 2011 presentation by the Federal Reserve Bank of Kansas City. And from January 2010 to September 2011, FICO, a predictive-analysis company, reported a 60 percent decline in counterfeit card fraud in Europe, where smart cards are the dominant form of payment.

The risk in using magnetic stripes is that the data they contain is static and includes the cardholder's name and address, the financial institution, the 16-digit account number, the expiration date and even the security confirmation code on the back of the card. All of which means the information on the stripe can be used to make new cards, explains Vanderhoof.

"As long as you are able to read static data that is encoded on the back of a magnetic stripe, criminals can replicate that data onto another piece of plastic, just like the original," he says.

This weakness made it possible for the criminals and their global network of mules to quickly steal $45 million using counterfeit cards.

In an EMV chip-based smart payment card, this data is stored securely within the chip, meaning that only authorized merchant terminals can read the stored data and it cannot be reused to create fraudulent transactions, Vanderhoof continues.

Instead, each transaction processed with an EMV chip card and card reader is assigned a unique identifier. If criminals do break the card or terminal's encryption programs, the data they see is good for one use only. The data stream processed through the terminal is also unique, so it cannot be re-used even if it is captured by wireless sniffers listening in from the parking lot, for example.

Deadlines meet resistance

In 2011 and 2012, MasterCard, Visa, Discover and American Express announced they were accelerating plans to issue EMV smart cards and were already using them for applications such as college credit cards and cards for travelers who want to use them internationally.

The next stage is to get the card readers compliant with the new smart payment cards, says John Graham, vice president of global information assurance and risk for First Data Corporation, one of the largest payment processors in the U.S., with infrastructure in 34 countries.

"The infrastructure is there to support EMV cards, but there are costs to banks and financial institutions that send out smart cards," Graham says. "We've also ensured our back-end systems and mainframes are able to accept these new forms of transactions."

According to EMV Connection, approximately 1.5 billion EMV cards have been issued globally, and 21.9 million terminals were accepting EMV cards as of Q4 of 2011. This represents 44.7 percent of the total payment cards in circulation and 76.4 percent of point-of-sale terminals installed outside the U.S., where statistics are harder to find.

Under the EMV framework, merchants that process transactions through card readers have until October 2015 to make their systems ready to handle chip-enabled readers.

If merchants cannot process EMV payment cards and they are defrauded by counterfeit data in magnetic-stripe cards, liability for losses will begin to shift to the merchants that have not upgraded payment card readers, according to Vanderhoof. Likewise, if merchants can process EMV payment cards and the card issuer is still allowing its customer to use a non-EMV card, that issuer will begin to assume the liability for fraudulent transactions.

While large merchants stand ready to meet the EMV deadline, small mom-and-pop operations are the hardest to convince and need more education, says Graham, adding that, in some cases, small business are still using old, analog lines to conduct transactions.

The transition to smart cards will likely occur in phases, say experts.

"For some, it makes sense to make the upgrade to EMV-enabled readers as soon as possible, and for others it may be a phased-in approach that may not meet the EMV deadlines as they now stand," says Steve Kenneally, vice president for the center of regulatory compliance at the American Bankers Association.

Kenneally notes that earlier this year, the ATM Industry Association asked for a push back on the deadlines imposed to them by Visa. As a result, most of the brands behind EMV smart cards are imposing their own liability shift dates for ATMs. For example, MasterCard will fully shift liability for card readers onto merchants on Oct. 1, 2016, while Visa will shift liability to its merchants in October of 2017, according to the financial publication and resource group ATM Marketplace.

MasterCard predicts that about 70 percent of those with card processing terminals will make the October 2015 compliance deadline and has even laid out its own liability shift schedule, which currently extends to 2017 for gas stations. (Gas stations are one of the first places criminals test cloned cards to see if they will process, according to experts.)

Most guidelines take into account that for some time during the transition, merchants will need to be able to process both mag stripe and chip-enabled cards. MasterCard provides incentives for merchants to become EMV-compliant, such as audit relief to organizations with readers that can handle both forms of payments.